CVEs from 2018
- Total: 2,884
- Critical: 238
- High: 329
- Medium: 259
- Low: 39
- % Critical: 8.3%
- % with KEV: 3.1%
- % with exploit: 9.0%
Top vendors
- intel 1,561
- schneider-electric 43
- siemens 42
- rockwellautomation 16
- echelon 15
- redhat 12
- oracle 9
- mitel 8
Top products
- core_i7 379
- core_i5 375
- core_i3 242
- xeon_e5 82
- xeon_e7 62
- xeon_e3 58
- xeon_gold 33
- atom_z 30
| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-4192 | unknown | — | 1.0 | — | An issue was discovered in certain Apple products. iOS before 11.4 is affected. Safari before 11.1.1 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected… | |||
| CVE-2018-4162 | unknown | — | 1.0 | — | An issue was discovered in certain Apple products. iOS before 11.3 is affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. … | |||
| CVE-2018-4222 | unknown | — | 1.0 | — | An issue was discovered in certain Apple products. iOS before 11.4 is affected. Safari before 11.1.1 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected… | |||
| CVE-2018-12904 | unknown | — | 1.0 | — | In arch/x86/kvm/vmx.c in the Linux kernel before 4.17.2, when nested virtualization is used, local attackers could cause L1 KVM guests to VMEXIT, potentially allowing privilege escalations and denial… | |||
| CVE-2018-6323 | unknown | — | 1.0 | — | The elf_object_p function in elfcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, has an unsigned integer overflow because bfd_size_type multipli… | |||
| CVE-2018-13458 | unknown | — | 1.0 | — | qh_core in Nagios Core 4.4.1 and earlier is prone to a NULL pointer dereference vulnerability, which allows attackers to cause a local denial-of-service condition by sending a crafted payload to the … | |||
| CVE-2018-10906 | unknown | — | 1.0 | — | In fuse before versions 2.9.8 and 3.x before 3.2.5, fusermount is vulnerable to a restriction bypass when SELinux is active. This allows non-root users to mount a FUSE file system with the 'allow_oth… | |||
| CVE-2018-6389 | unknown | — | 1.0 | — | In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to cons… | |||
| CVE-2018-4318 | unknown | — | 1.0 | — | A use after free issue was addressed with improved memory management. This issue affected versions prior to iOS 12, tvOS 12, Safari 12, iTunes 12.9 for Windows, iCloud for Windows 7.7. | |||
| CVE-2018-13441 | unknown | — | 1.0 | — | qh_help in Nagios Core version 4.4.1 and earlier is prone to a NULL pointer dereference vulnerability, which allows attacker to cause a local denial-of-service condition by sending a crafted payload … | |||
| CVE-2018-12938 | unknown | — | 1.0 | — | ||||
| CVE-2018-13457 | unknown | — | 1.0 | — | qh_echo in Nagios Core 4.4.1 and earlier is prone to a NULL pointer dereference vulnerability, which allows attackers to cause a local denial-of-service condition by sending a crafted payload to the … | |||
| CVE-2018-1160 | unknown | — | 1.0 | — | Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data. A remote unauthenticated attacker can leverage th… | |||
| CVE-2018-1000888 | unknown | — | 1.0 | 3y ago | PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as parameter (such as fil… | |||
| CVE-2018-25080 | unknown | — | 1.0 | 3y ago | Cross-site Scripting in MobileDetect | |||
| CVE-2018-17057 | unknown | — | 1.0 | 4y ago | An issue was discovered in TCPDF before 6.2.22. Attackers can trigger deserialization of arbitrary data via the phar:// wrapper. | |||
| CVE-2018-20434 | unknown | — | 1.0 | 4y ago | LibreNMS arbitrary OS commands execution | |||
| CVE-2018-7490 | unknown | — | 1.0 | 4y ago | uWSGI before 2.0.17 mishandles a DOCUMENT_ROOT check during use of the --php-docroot option, allowing directory traversal. | |||
| CVE-2018-10188 | unknown | — | 1.0 | 4y ago | phpMyAdmin CSRF vulnerability allowing arbitrary SQL execution | |||
| CVE-2018-10366 | unknown | — | 1.0 | 4y ago | User Plugin for October CSS Allows XSS | |||
| CVE-2018-10094 | unknown | — | 1.0 | 4y ago | Dolibarr SQL injection vulnerability | |||
| CVE-2018-11564 | unknown | — | 1.0 | 4y ago | Pagekit Stored Cross-site Scripting | |||
| CVE-2018-14058 | unknown | — | 1.0 | 4y ago | Pimcore SQLi Vulnerability | |||
| CVE-2018-14057 | unknown | — | 1.0 | 4y ago | Pimcore CSRF Vulnerability | |||
| CVE-2018-15845 | unknown | — | 1.0 | 4y ago | Gleez CMS CSRF Allows Adding of Administrator Accounts | |||
| CVE-2018-14059 | unknown | — | 1.0 | 4y ago | Pimcore XSS Vulnerability | |||
| CVE-2018-14840 | unknown | — | 1.0 | 4y ago | Subrion CMS Cross-site Scripting | |||
| CVE-2018-18548 | unknown | — | 1.0 | 4y ago | ajenticp (aka Ajenti Docker control panel) for Ajenti through v1.2.23.13 has XSS via a filename that is mishandled in File Manager. | |||
| CVE-2018-19246 | unknown | — | 1.0 | 4y ago | LFI in PHP-Proxy 5.1.0 | |||
| CVE-2018-19458 | unknown | — | 1.0 | 4y ago | Unauthenticated File Read in PHP Proxy | |||
| CVE-2018-19933 | unknown | — | 1.0 | 4y ago | Bolt Cross-site Scripting (XSS) via text input click preview button | |||
| CVE-2018-19799 | unknown | — | 1.0 | 4y ago | Dolibarr ERP and CRM contain XSS Vulnerability | |||
| CVE-2018-1306 | unknown | — | 1.0 | 4y ago | Exposure of Sensitive Information in Apache Pluto | |||
| CVE-2018-8718 | unknown | — | 1.0 | 4y ago | Cross-Site Request Forgery in Jenkins Mailer Plugin | |||
| CVE-2018-20418 | unknown | — | 1.0 | 4y ago | Craft CMS Cross-site Scripting (XSS) Vulnerability | |||
| CVE-2018-1042 | unknown | — | 1.0 | 4y ago | Moodle SSRF Vulnerability | |||
| CVE-2018-9160 | unknown | — | 1.0 | 4y ago | SickRage before v2018.03.09-1 includes cleartext credentials in HTTP responses. | |||
| CVE-2018-8947 | unknown | — | 1.0 | 4y ago | Plaintext Storage of Sensitive Information in Laravel Log Viewer before v0.13.0 | |||
| CVE-2018-8145 | unknown | — | 1.0 | 4y ago | ChakraCore information disclosure vulnerability | |||
| CVE-2018-7251 | unknown | — | 1.0 | 4y ago | Anchor CMS Logs Credentials | |||
| CVE-2018-10054 | unknown | — | 1.0 | 4y ago | Improper Input Validation in Datomic | |||
| CVE-2018-7198 | unknown | — | 1.0 | 4y ago | October CMS - RainLab Blog Plugin XSS | |||
| CVE-2018-8617 | unknown | — | 1.0 | 4y ago | ChakraCore RCE Vulnerability | |||
| CVE-2018-8466 | unknown | — | 1.0 | 4y ago | ChakraCore RCE Vulnerability | |||
| CVE-2018-8467 | unknown | — | 1.0 | 4y ago | ChakraCore RCE Vulnerability | |||
| CVE-2018-8384 | unknown | — | 1.0 | 4y ago | ChakraCore RCE Vulnerability | |||
| CVE-2018-8355 | unknown | — | 1.0 | 4y ago | ChakraCore RCE Vulnerability | |||
| CVE-2018-8291 | unknown | — | 1.0 | 4y ago | ChakraCore RCE Vulnerability | |||
| CVE-2018-8288 | unknown | — | 1.0 | 4y ago | ChakraCore RCE Vulnerability | |||
| CVE-2018-8229 | unknown | — | 1.0 | 4y ago | ChakraCore RCE Vulnerability | |||
| CVE-2018-8139 | unknown | — | 1.0 | 4y ago | ChakraCore RCE Vulnerability | |||
| CVE-2018-8133 | unknown | — | 1.0 | 4y ago | ChakraCore RCE Vulnerability | |||
| CVE-2018-14716 | unknown | — | 1.0 | 4y ago | SEOmatic plugin for Craft CMS SSTI Vulnerability | |||
| CVE-2018-1133 | unknown | — | 1.0 | 4y ago | Moodle calculated question type allows remote code execution by Question authors | |||
| CVE-2018-0980 | unknown | — | 1.0 | 4y ago | ChakraCore RCE Vulnerability | |||
| CVE-2018-0946 | unknown | — | 1.0 | 4y ago | ChakraCore RCE Vulnerability | |||
| CVE-2018-0934 | unknown | — | 1.0 | 4y ago | ChakraCore RCE Vulnerability | |||
| CVE-2018-0933 | unknown | — | 1.0 | 4y ago | ChakraCore RCE Vulnerability | |||
| CVE-2018-0860 | unknown | — | 1.0 | 4y ago | ChakraCore RCE Vulnerability | |||
| CVE-2018-0838 | unknown | — | 1.0 | 4y ago | ChakraCore RCE Vulnerability | |||
| CVE-2018-0837 | unknown | — | 1.0 | 4y ago | ChakraCore RCE Vulnerability | |||
| CVE-2018-0834 | unknown | — | 1.0 | 4y ago | ChakraCore RCE Vulnerability | |||
| CVE-2018-0835 | unknown | — | 1.0 | 4y ago | ChakraCore RCE Vulnerability | |||
| CVE-2018-0114 | unknown | — | 1.0 | 4y ago | Cisco node-jose improper validation of JWT signature | |||
| CVE-2018-14009 | unknown | — | 1.0 | 4y ago | Codiad remote code execution vulnerability | |||
| CVE-2018-19422 | unknown | — | 1.0 | 4y ago | Subrion CMS RCE Vulnerability | |||
| CVE-2018-12613 | unknown | — | 1.0 | 4y ago | phpMyAdmin Improper Authentication | |||
| CVE-2018-15727 | unknown | — | 1.0 | 4y ago | Grafana Authentication Bypass in github.com/grafana/grafana | |||
| CVE-2018-1002105 | unknown | — | 1.0 | 4y ago | In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses to proxied upgrade requests in the kube-apiserver allowed specially crafted requests to estab… | |||
| CVE-2018-19277 | unknown | — | 1.0 | 7y ago | XXE in PHPSpreadsheet due to encoding issue | |||
| CVE-2018-15812 | unknown | — | 1.0 | 7y ago | Insufficient Entropy in DotNetNuke | |||
| CVE-2018-18326 | unknown | — | 1.0 | 7y ago | Insufficient Entropy in DotNetNuke | |||
| CVE-2018-11770 | unknown | — | 1.0 | 8y ago | org.apache.spark:spark-core_2.10 and org.apache.spark:spark-core_2.11 Improper Authentication vulnerability | |||
| CVE-2018-8021 | unknown | — | 1.0 | 8y ago | Versions of Superset prior to 0.23 used an unsafe load method from the pickle library to deserialize data leading to possible remote code execution. Note Superset 0.23 was released prior to any Super… | |||
| CVE-2018-1321 | unknown | — | 1.0 | 8y ago | High severity vulnerability that affects org.apache.syncope:syncope-core | |||
| CVE-2018-1322 | unknown | — | 1.0 | 8y ago | Exposure of Sensitive Information to an Unauthorized Actor in Apache syncope-cope | |||
| CVE-2018-9206 | unknown | — | 1.0 | 8y ago | Unrestricted Upload of File with Dangerous Type in blueimp-file-upload | |||
| CVE-2018-1335 | unknown | — | 1.0 | 8y ago | Command injection in org.apache.tika:tika-core | |||
| CVE-2018-8269 | unknown | — | 1.0 | 8y ago | Denial of service in ASP.NET Core | |||
| CVE-2018-15685 | unknown | — | 1.0 | 8y ago | Electron webPreferences vulnerability can be used to perform remote code execution | |||
| CVE-2018-7750 | unknown | — | 1.0 | 8y ago | transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 d… | |||
| CVE-2018-1000006 | unknown | — | 1.0 | 9y ago | Remote Code Execution in electron | |||
| CVE-2018-14863 | unknown | — | — | — | Incorrect access control in the RPC framework in Odoo Community 8.0 through 11.0 and Odoo Enterprise 9.0 through 11.0 allows authenticated users to call private functions via RPC. | |||
| CVE-2018-12322 | unknown | — | — | — | There is a heap out of bounds read in radare2 2.6.0 in _6502_op() in libr/anal/p/anal_6502.c via a crafted iNES ROM binary file. | |||
| CVE-2018-19843 | unknown | — | — | — | opmov in libr/asm/p/asm_x86_nz.c in radare2 before 3.1.0 allows attackers to cause a denial of service (buffer over-read) via crafted x86 assembly data, as demonstrated by rasm2. | |||
| CVE-2018-20459 | unknown | — | — | — | In radare2 through 3.1.3, the armass_assemble function in libr/asm/arch/arm/armass.c allows attackers to cause a denial-of-service (application crash by out-of-bounds read) by crafting an arm assembl… | |||
| CVE-2018-10186 | unknown | — | — | — | In radare2 2.5.0, there is a heap-based buffer over-read in the r_hex_bin2str function (libr/util/hex.c). Remote attackers could leverage this vulnerability to cause a denial of service via a crafted… | |||
| CVE-2018-10187 | unknown | — | — | — | In radare2 2.5.0, there is a heap-based buffer over-read in the dalvik_op function (libr/anal/p/anal_dalvik.c). Remote attackers could leverage this vulnerability to cause a denial of service via a c… | |||
| CVE-2018-20461 | unknown | — | — | — | In radare2 prior to 3.1.1, core_anal_bytes in libr/core/cmd_anal.c allows attackers to cause a denial-of-service (application crash caused by out-of-bounds read) by crafting a binary file. | |||
| CVE-2018-6249 | unknown | — | — | — | NVIDIA GPU Display Driver contains a vulnerability in kernel mode layer handler where a NULL pointer dereference may lead to denial of service or potential escalation of privileges. | |||
| CVE-2018-6253 | unknown | — | — | — | NVIDIA GPU Display Driver contains a vulnerability in the DirectX and OpenGL Usermode drivers where a specially crafted pixel shader can cause infinite recursion leading to denial of service. | |||
| CVE-2018-12368 | unknown | — | — | — | Windows 10 does not warn users before opening executable files with the SettingContent-ms extension even when they have been downloaded from the internet and have the "Mark of the Web." Without the w… | |||
| CVE-2018-0493 | unknown | — | — | — | remctld in remctl before 3.14, when an attacker is authorized to execute a command that uses the sudo option, has a use-after-free that leads to a daemon crash, memory corruption, or arbitrary comman… | |||
| CVE-2018-12689 | unknown | — | — | — | phpLDAPadmin 1.2.2 allows LDAP injection via a crafted server_id parameter in a cmd.php?cmd=login_form request, or a crafted username and password in the login panel. | |||
| CVE-2018-13410 | unknown | — | — | — | Info-ZIP Zip 3.0, when the -T and -TT command-line options are used, allows attackers to cause a denial of service (invalid free and application crash) or possibly have unspecified other impact becau… | |||
| CVE-2018-2638 | unknown | — | — | — | Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are Java SE: 8u152 and 9.0.1. Difficult to exploit vulnerability allows unaut… | |||
| CVE-2018-2790 | unknown | — | — | — | Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u… | |||
| CVE-2018-16883 | unknown | — | — | — | sssd versions from 1.13.0 to before 2.0.0 did not properly restrict access to the infopipe according to the "allowed_uids" configuration parameter. If sensitive information were stored in the user di… | |||
| CVE-2018-1116 | unknown | — | — | — | A flaw was found in polkit before version 0.116. The implementation of the polkit_backend_interactive_authority_check_authorization function in polkitd allows to test for authentication and trigger a… | |||
| CVE-2018-17794 | unknown | — | — | — | An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in work_stuff_copy_to_from when called from iterate_demangle_function. |